Another day, another challenge.
In today’s blog post we will be solving the challenge “My First SQL” from PicoCTF.
Let’s get started.
Going to the challenge we see:

OK… we need to access a website, but we do not have the password. Let’s see what the hints give us.

Clicking the website link we see:

Right-clicking and choosing View Page Source, we see:

We do not see anything useful. We have a form that is looking for a username and password.
Going back to the hints, let’s do a Google search for SQL injection.
The search turns up a link that explains how to use SQL injection to bypass a login.
Let’s do it.
Going back to the website, we see that the form has username and password fields.
Let’s try using a username of “admin”
and a password of “' OR '1'='1” (typed with straight single quotes, not curly ones).

Pressing login we get:

We found the flag, and acquired 50 points!